With the changing economic context, which relies more and more on information technologies that need to be secured, the title Information Security Expert has become so shiny and luxurious that many have become quite curious about this category of professionals.
In the following, I will share with you what the life of an information security expert looks like, considering I have been surrounded by many of them for years.
The drive and motivation
As the number of cybersecurity attacks grew a few years ago, light was shed on the domain of cybersecurity in particular and, subsequently, on information security in general, once the higher management of companies around the world also took an interest.
Profiles in this discipline became highly sought after, and so more students and professionals were tempted to change their field and take up the most in-demand roles on the job market.
It goes without saying that this category is attracted by a good life, a good role in the company, and a substantial salary.
On the other hand, we find people, students, and professionals, who show unconditional passion for cybersecurity and information security.
Unconditional because they know no conditions or limits when it comes to learning about a new vulnerability or a method of bypassing a security measure. Time, sleep, and money are easily spent on a CTF (Capture The Flag, a hacking competition), which is typically planned on weekends and commonly lasts all night long.
Is Information Security only about Information Security?
I have been speaking about cybersecurity and information security as if they were two separate things. As many of you may know, cybersecurity is about security related to technologies: laptops and desktops, servers, mobile phones, embedded systems, and many more. The focus is indeed on the information, but the condition is that it is stored or processed by the devices listed above.
Information security, on the other hand, focuses on the information regardless of the medium used to store or process it. Whether the information is stored on a hard drive, written on paper, or held in the head of an employee, it should be secured (yes, we can “secure” information in employees’ heads through clauses in their employment contracts called NDAs, Non-Disclosure Agreements, and by adding a mention of professional secrecy where applicable).
The other difference is that cybersecurity is managed at an operational level, while information security is managed from a governance level, but also at the managerial and operational levels for some processes.
Now, to answer the question asked in the title: no! Many standards and frameworks serve as tools to manage information security, but an expert should also bear in mind other considerations, such as legal, regulatory, and contractual requirements. These certainly concern information, but they are not always linked to information security itself. Sometimes the requirements stem from an influenced decision, or from a client imposing a preference during contracting for the service to be provided, for instance. Such requirements are not to be guessed at but checked and complied with, to avoid trouble later, either with clients or with authorities, when things get more serious than we would wish.
What does it take to get there?
To answer this question, let us look at what an information security expert does on a mission to implement and/or audit an ISMS (Information Security Management System) in conformity with the ISO/IEC 27001 standard. In this instance, the expert should:
- Meet with the top management, interested parties, managers, technicians, and users
- Make presentations, introduce the project and gain approvals, report progress and results, etc.
- Meet with process owners to secure and document the processes. This includes non-IT processes.
- Conduct awareness and training sessions for users
- Conduct self-checks, gap analyses, or audits
- Ensure follow-up of action plans, etc.
The incomplete list of tasks above implies that an information security expert must have information security skills, which goes without saying, but what most professionals forget are the non-technical skills this job requires. An information security expert must:
- Be a good negotiator, in order to convince the interested parties of the project, or parts of it, and gain their approval and engagement.
- Have good communication skills to get the message delivered and understood by your interlocutor.
- Be a good presenter, able to deliver the message and hold the attention of your audience through presentation techniques.
- Be a good trainer, since your audience will come from various domains and certainly not just information security. A trainer who conducts training/awareness sessions that participants attend without fully understanding the content creates threats! An unaware user is in itself a threat to the business.
- Be a good project manager, to ensure the steering and smooth execution of action plans, as well as meeting deadlines.
- Be polyvalent. Audit the whole ISMS and be willing to verify the effectiveness of all its processes (facilities, physical security, human resources, etc.). You must have at least a general understanding of all those processes.
Besides all of these skills, an information security expert should have real-life experience in information security and IT, preferably in cybersecurity, on various missions for various clients in different business sectors, ideally in different countries. Otherwise, you will only have theoretical skills, which do not help as much as one would think.
Maintaining the level of expertise: A choice or a dilemma?
Some jobs require little further learning, and some none at all: once a student gets their degree, they are good to go. In information security and cybersecurity, one long pause can turn an expert with 20 years of experience into a simple information security professional with an outdated skill set.
The issue is that technologies move fast, bringing new vulnerabilities, threats, and techniques, and then new frameworks, standards, laws, and regulations, which makes it hard for an information security expert to maintain their level of expertise.
Getting to the next level is another story. It costs money, time, and effort to learn and acquire new skills. Each time, an expert calculates the return on investment of any advancement or course of study they want to undertake.
Indeed, an expert cannot choose whether to continuously upgrade their skill set and stay up to date; it is their only option.
What is it like to work in the domain of information security?
There are three roles that an information security expert can have: an implementer (also called an adviser or a consultant), an auditor (or an assessor), and finally a trainer (or an instructor).
As an implementer working for a consulting firm, they are appreciated because they bring revenue to the company by delivering expertise to clients; this applies to the audit and training roles as well. But clients have a different opinion: their middle management sees them as an overpaid resource, so they are expected to deliver more than internal resources.
As an auditor, it depends on where the auditor comes from: an authority, a regulator, a certification body, a client exercising their right to audit, a consultancy firm conducting a readiness audit in preparation for a certification audit, for example, or an internal department such as Internal Audit. In that order, the auditor has less and less power and independence.
An auditor selected by a regulator to conduct a regulatory audit would not mind sending a report full of red flags, while an internal auditor, in some companies and depending on the management, may think twice before mentioning a minor non-conformity in their report, especially when the issue originates with senior management.
A good trainer knows how to lead the course; they are experts and know how best to explain their expertise. There are instances where candidates provoke the trainer, perhaps to test their knowledge; however, those situations are easy to handle with professionalism.
In some jobs, the risks are physical, whereas in information security, when a risk scenario occurs and is not managed as intended, the first person to be questioned is the Risk Manager.
The questions may be queries to learn from a mishap for next time, a polite (sometimes impolite) way of alleging negligence or lack of skill, or a direct accusation of intentional fraud or theft when it comes to financial transactions in a bank, for example.
Depending on the business criticality and its context (authorities, regulators, clients, and providers), the seriousness of an information security expert’s responsibility may vary.
I would say that information security stands for responsibility. It can often be perceived as a profession that does not require an immense amount of seriousness, and most people who work in this field tend to be humorous. On that note, I would like to clarify that being humorous does not indicate a lack of seriousness, responsibility, and professionalism; on the contrary, it is the opposite, as it takes endurance to get there.
Many information security consultants and professionals who are happy with their job and achievements complain from time to time, which is natural; nonetheless, they are content.
Work-life balance
Given the amount of news and the changes in technologies, standards, frameworks, laws, and regulations, an expert often finds themselves obliged to spend sleepless nights, between learning new things and working overtime to meet deadlines. That easily leads to time away from loved ones, passions, or hobbies one may have; therefore, being able to create a balanced schedule and manage time correctly is of the utmost importance.
Achieving a healthy work-life balance may take some time and determination, as the need to set boundaries for yourself is fundamental. Being able to manage time correctly, between work and personal life, may be a bit of a juggle initially, but a definite tip from my side would be having a set daily work schedule, realizing your peak productivity hours, and taking advantage of that timing.
Always keep in mind the importance of your health, be that mental or physical. Make sure you are making time for your hobbies, passions, and the things that bring you joy aside from work.
As lovely as a rich professional career is, we must never forget to make time for ourselves, friends, and family.